Claims
- 1. A method for managing user sessions within a distributed data processing system, the method comprising:
in response to determining to logoff a user on a system within a first domain, obtaining a list of domains at which the first domain has initiated a logon operation for the user by providing an authentication assertion; generating at a system in the first domain a logoff request message for the user for each domain in the list of domains, wherein a logoff request message comprises an authentication assertion for the user; and sending a logoff request message to each domain in the list of domains.
- 2. The method of claim 1 further comprising:
receiving at a system in the first domain a request from a client operated by the user to initiate a logoff operation; and determining to logoff the user based on the request from the user.
- 3. The method of claim 1 wherein the user accesses a logoff resource at a system in the first domain.
- 4. The method of claim 1 further comprising:
receiving at a system in the first domain a logoff request message from a system in a second domain to initiate a logoff operation for the user; and determining to logoff the user based on the request from a system in the second domain.
- 5. The method of claim 4 wherein a logoff request message is a SOAP (Simple Object Access Protocol) publish message.
- 6. The method of claim 5 wherein a system in the first domain has subscribed to logoff events.
- 7. The method of claim 5 wherein a system in the first domain has subscribed to logoff events that are specifically for the user.
- 8. The method of claim 1 wherein a logoff request message is generated by a point-of-contact server within a federated domain.
- 9. The method of claim 1 wherein a logoff request message is generated by a trust proxy server within a federated domain.
- 10. The method of claim 1 further comprising:
extracting an authentication assertion from a logoff request message at a point-of-contact server within the first domain; and forwarding the extracted authentication assertion to a trust proxy within the first domain.
- 11. The method of claim 10 further comprising:
in response to validating the extracted authentication assertion, returning to the point-of-contact server a local security token that is valid within the first domain.
- 12. The method of claim 11 further comprising:
in response to a determination of an inability to validate the extracted authentication assertion at the trust proxy, requesting a trust broker to validate the extracted authentication assertion.
- 13. A data processing system for managing user sessions, the data processing system comprising:
means for obtaining a list of domains at which the first domain has initiated a logon operation for the user by providing an authentication assertion in response to determining to logoff a user on a system within a first domain; means for generating at a system in the first domain a logoff request message for the user for each domain in the list of domains, wherein a logoff request message comprises an authentication assertion for the user; and means for sending a logoff request message to each domain in the list of domains.
- 14. The data processing system of claim 13 further comprising:
means for receiving at a system in the first domain a request from a client operated by the user to initiate a logoff operation; and means for determining to logoff the user based on the request from the user.
- 15. The data processing system of claim 13 wherein the user accesses a logoff resource at a system in the first domain.
- 16. The data processing system of claim 13 further comprising:
means for receiving at a system in the first domain a logoff request message from a system in a second domain to initiate a logoff operation for the user; and means for determining to logoff the user based on the request from a system in the second domain.
- 17. The data processing system of claim 16 wherein a logoff request message is a SOAP (Simple Object Access Protocol) publish message.
- 18. The data processing system of claim 17 wherein a system in the first domain has subscribed to logoff events.
- 19. The data processing system of claim 17 wherein a system in the first domain has subscribed to logoff events that are specifically for the user.
- 20. The data processing system of claim 13 wherein a logoff request message is generated by a point-of-contact server within a federated domain.
- 21. The data processing system of claim 13 wherein a logoff request message is generated by a trust proxy server within a federated domain.
- 22. The data processing system of claim 13 further comprising:
means for extracting an authentication assertion from a logoff request message at a point-of-contact server within the first domain; and means for forwarding the extracted authentication assertion to a trust proxy within the first domain.
- 23. The data processing system of claim 22 further comprising:
means for returning to the point-of-contact server a local security token that is valid within the first domain in response to validating the extracted authentication assertion.
- 24. The data processing system of claim 23 further comprising:
means for requesting a trust broker to validate the extracted authentication assertion in response to a determination of an inability to validate the extracted authentication assertion at the trust proxy.
- 25. A computer program product in a computer readable medium for managing user sessions in a data processing system, the computer program product comprising:
means for obtaining a list of domains at which the first domain has initiated a logon operation for the user by providing an authentication assertion in response to determining to logoff a user on a system within a first domain; means for generating at a system in the first domain a logoff request message for the user for each domain in the list of domains, wherein a logoff request message comprises an authentication assertion for the user; and means for sending a logoff request message to each domain in the list of domains.
- 26. The computer program product of claim 25 further comprising:
means for receiving at a system in the first domain a request from a client operated by the user to initiate a logoff operation; and means for determining to logoff the user based on the request from the user.
- 27. The computer program product of claim 25 wherein the user accesses a logoff resource at a system in the first domain.
- 28. The computer program product of claim 25 further comprising:
means for receiving at a system in the first domain a logoff request message from a system in a second domain to initiate a logoff operation for the user; and means for determining to logoff the user based on the request from a system in the second domain.
- 29. The computer program product of claim 28 wherein a logoff request message is a SOAP (Simple Object Access Protocol) publish message.
- 30. The computer program product of claim 29 wherein a system in the first domain has subscribed to logoff events.
- 31. The computer program product of claim 29 wherein a system in the first domain has subscribed to logoff events that are specifically for the user.
- 32. The computer program product of claim 25 wherein a logoff request message is generated by a point-of-contact server within a federated domain.
- 33. The computer program product of claim 25 wherein a logoff request message is generated by a trust proxy server within a federated domain.
- 34. The computer program product of claim 25 further comprising:
means for extracting an authentication assertion from a logoff request message at a point-of-contact server within the first domain; and means for forwarding the extracted authentication assertion to a trust proxy within the first domain.
- 35. The computer program product of claim 34 further comprising:
means for returning to the point-of-contact server a local security token that is valid within the first domain in response to validating the extracted authentication assertion.
- 36. The computer program product of claim 35 further comprising:
means for requesting a trust broker to validate the extracted authentication assertion in response to a determination of an inability to validate the extracted authentication assertion at the trust proxy.
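The following is an added example written for this page, not code from the patent or its assignee, modelling the logoff flow of claims 1, 4 and 10 to 12: a domain keeps, per user, the list of domains to which it has issued an authentication assertion; on logoff it generates one logoff request per listed domain, each carrying a fresh assertion; the receiving point-of-contact server hands the assertion to its trust proxy, which validates it with a partner key or, failing that, asks the trust broker, and returns a local security token only on success. The HMAC-over-JSON assertion, the in-process delivery (standing in for the SOAP publish of claims 5 to 7), the domain names and the helper names are all assumptions of this example.

```python
# Added example (not the patent's code): a model of federated single logoff.
# Assertion and message formats are constructed stand-ins for SAML/SOAP.
import hashlib, hmac, json, time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass(frozen=True)
class Assertion:  # authentication assertion; HMAC-over-JSON stands in for a signed token
    issuer: str
    subject: str
    issued_at: float
    signature: str

def _sig(key: bytes, issuer: str, subject: str, issued_at: float) -> str:
    return hmac.new(key, json.dumps([issuer, subject, issued_at]).encode(), hashlib.sha256).hexdigest()

def make_assertion(issuer: str, key: bytes, subject: str) -> Assertion:
    now = time.time()
    return Assertion(issuer, subject, now, _sig(key, issuer, subject, now))

def verify(key: bytes, a: Assertion, max_age: float = 300.0) -> bool:
    """Signature must match and the assertion must be fresh, which bounds replay of old messages."""
    fresh = 0 <= time.time() - a.issued_at <= max_age
    return fresh and hmac.compare_digest(_sig(key, a.issuer, a.subject, a.issued_at), a.signature)

class TrustBroker:
    """Knows every partner's key; a trust proxy falls back to it (claim 12)."""
    def __init__(self, keys: Dict[str, bytes]):
        self.keys = keys

    def validate(self, a: Assertion) -> bool:
        key = self.keys.get(a.issuer)
        return key is not None and verify(key, a)

class TrustProxy:
    """Validates assertions for one domain and mints a local security token (claim 11)."""
    def __init__(self, domain: str, partner_keys: Dict[str, bytes], broker: TrustBroker):
        self.domain, self.partner_keys, self.broker = domain, partner_keys, broker

    def validate(self, a: Assertion) -> Optional[str]:
        key = self.partner_keys.get(a.issuer)
        ok = verify(key, a) if key is not None else self.broker.validate(a)
        return f"local-token:{self.domain}:{a.subject}" if ok else None

@dataclass
class LogoffRequest:  # logoff request message: target domain plus an assertion for the user (claim 1)
    target: str
    assertion: Assertion

class Domain:
    """A federated domain: its point-of-contact server plus its trust proxy."""
    def __init__(self, name: str, key: bytes, proxy: TrustProxy, federation: Dict[str, "Domain"]):
        self.name, self.key, self.proxy, self.federation = name, key, proxy, federation
        self.sessions: Set[str] = set()
        self.logon_targets: Dict[str, Set[str]] = {}  # user -> domains this domain asserted the user to
        federation[name] = self

    def federated_logon(self, user: str, target: str) -> bool:
        accepted = self.federation[target].receive_logon(make_assertion(self.name, self.key, user))
        if accepted:  # remember where a logon was initiated so logoff can reach it later
            self.logon_targets.setdefault(user, set()).add(target)
        return accepted

    def receive_logon(self, a: Assertion) -> bool:
        token = self.proxy.validate(a)
        if token:
            self.sessions.add(a.subject)
        return token is not None

    def logoff(self, user: str) -> List[LogoffRequest]:
        """Claim 1: one logoff request, carrying a fresh assertion, per domain in the user's list."""
        targets = self.logon_targets.pop(user, set())
        requests = [LogoffRequest(t, make_assertion(self.name, self.key, user)) for t in sorted(targets)]
        for req in requests:
            self.federation[req.target].receive_logoff(req)
        self.sessions.discard(user)
        return requests

    def receive_logoff(self, req: LogoffRequest) -> bool:
        """Claims 4, 10, 11: the point of contact hands the assertion to the trust proxy before acting."""
        if self.proxy.validate(req.assertion) is None:
            return False  # unverifiable request: the session stays
        self.logoff(req.assertion.subject)  # cascade; popping logon_targets stops loops
        return True

def demo() -> dict:
    """Constructed scenario: idp asserts alice to b and c, then logs her off everywhere."""
    keys = {"idp.example": b"k-idp", "b.example": b"k-b", "c.example": b"k-c"}
    broker, fed = TrustBroker(keys), {}
    idp = Domain("idp.example", keys["idp.example"], TrustProxy("idp.example", {}, broker), fed)
    b = Domain("b.example", keys["b.example"], TrustProxy("b.example", {"idp.example": keys["idp.example"]}, broker), fed)
    c = Domain("c.example", keys["c.example"], TrustProxy("c.example", {}, broker), fed)  # knows no keys: broker only
    idp.sessions.add("alice")
    logons = [idp.federated_logon("alice", "b.example"), idp.federated_logon("alice", "c.example")]
    sent_to = [r.target for r in idp.logoff("alice")]
    b.sessions.add("bob")  # a forged logoff for bob, signed with the wrong key, must be ignored
    forged = LogoffRequest("b.example", make_assertion("idp.example", b"wrong-key", "bob"))
    return {"logons": logons, "sent_to": sent_to,
            "alice_on": [d.name for d in (idp, b, c) if "alice" in d.sessions],
            "forged_accepted": b.receive_logoff(forged), "bob_on": "bob" in b.sessions}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two details matter for a defender reading the claims: the receiving domain acts on a logoff request only after its trust proxy has validated the assertion (an unsigned or mis-signed request leaves the session in place), and each domain pops its own list of logon targets before cascading, so a federation with cycles still terminates the logoff everywhere without looping.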
CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] The present application is related to the following applications with a common assignee:
[0002] U.S. patent application Ser. No. (Attorney Docket Number CH920020006), filed (TBD), titled “Efficient browser-based identity management providing personal control and anonymity”;
[0003] U.S. patent application Ser. No. (Attorney Docket Number AUS920020410US1), filed ______/2002, titled “Method and System for Proof-of-Possession Operations Associated with Authentication Assertions in a Heterogeneous Federated Environment”;
[0004] U.S. patent application Ser. No. (Attorney Docket Number AUS920020411US1), filed ______/2002, titled “Local Architecture for Federated Heterogeneous System”;
[0005] U.S. patent application Ser. No. (Attorney Docket Number AUS920020412US1), filed ______/2002, titled “Method and System for Attribute Exchange in a Heterogeneous Federated Environment”;
[0006] U.S. patent application Ser. No. (Attorney Docket Number AUS920020413US1), filed ______/2002, titled “Method and System for Authentication in a Heterogeneous Federated Environment”; and
[0007] U.S. patent application Ser. No. (Attorney Docket Number AUS920020486US1), filed ______/2002, titled “Method and System for Native Authentication Protocols in a Heterogeneous Federated Environment”.